* • 



Mayer 6-9-1 

We claim: 

1. A method fon analyzing at least one gateway in a network, said at least one 

gateway having a packet filtering configuration file including a plurality of rules, said network 
5 having a plurality of addresses, said method comprising the steps of: 

generating a gateway-zone graph that models said network, said gateway-zone 
graph having at least one gateway node corresponding to said at least one gateway and at least 
two zone nodes, wherein said at le&st one gateway is a packet filtering machine and each of said 
, \ zone nodes correspond to a partitioned collection of said addresses created by said at least one 
10 gateway; ^ 
m receiving a query inquiring whether one or more given services are permitted 

^ between at least one source address and at least one destination address; and 



evaluating said query against each of said rules associated with each gateway node 
in said gateway-zone graph that is encountered between said at least one source address and said 



35 at least one destination address. 

fT 2. The method of claim 1, wherein said rules are expressed as rule-base objects 

O 3. The method of claim 1, wherejn said gateway-zone graph is derived from a 

~20 network topology file. 

4. The method of claim 1, wherein saitl query includes a wildcard for at least one of 

said service, source address or destination address. 

25 5. The method of claim 1, further comprising the step of determining a portion of 

said one or more given services that are permitted between at least one source address and at 
least one destination address. 
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6. The method <^f claim 1, further comprising the step of transforming said packet 

filtering configuration files intp a table of logical rules that are processed during said evaluating 
step. 



7. The method of claim 1, wherein said query consists of a source host-group, a 

destination host-group, and a service\host-group. 



8. The method of claim 1, wherein said query specifies a location where packets are 

to be inserted into the network that is different from a source address. 



9. A method of modeling a\ network having a plurality of gateway devices, 
comprising the steps of: 

identifying each gateway device in said network having a packet-filtering rule- 
base and each zone in said network defined by said gateway devices; and 

generating a gateway-zone graph that models said network, said gateway-zone 
graph having a gateway node corresponding to e v ach of said gateway devices and a zone node 
corresponding to each of said zones. 

10. The method of claim 9, wherein saM gateway-zone graph is derived from a 
network topology file. 

11. The method of claim 9, further comprising the step of transforming said packet- 
filtering rule-base into a table of logical rules. 

12. An apparatus for analyzing at least one gateway in a network, said at least one 
gateway having a packet filtering configuration file including a plurality of packet filtering rules, 
said network having a plurality of addresses, said tool comprising:^ 

a user interface for receiving a query inquiring whetfter one or more given services 
are permitted between at least one source address and at least one destination address, wherein 
each of said source addresses and said destination addresses correspond to one of said zones; and 
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a user interface for indicating a portion of said one or more given services that are 
permitted between a pottion of said at least one source address and a portion of said at least one 
destination address, said portions obtained by analyzing a gateway-zone graph that models said 
network with at least one gateway node corresponding to said at least one gateway and at least 
two zone nodes, wherein each of said zone nodes correspond to a partitioned collection of said 
addresses created by said at least one gateway. 

13. The method of claim 12, wherein said rules are expressed as rule-base objects 

14. The method of clami 12, wherein said gateway-zone graph is derived from a 
network topology file. \ 

15. The method of claim 12\ wherein said query includes a wildcard for at least one of 
said service, source address or destination address. 

16. The method of claim 12, wherein said packet filtering configuration files are 
expressed as a set of logical rules. \ 

17. The method of claim 12, wherein said query consists of a source host-group, a 
destination host-group, and a service host-group\ 

18. The method of claim 12, wherein Wid user interface allows a user to specify a 
location where packets are to be inserted into the network that is different from a source address. 

19. An apparatus for analyzing at least one gateway in a network, said at least one 
gateway having a packet filtering configuration file including a plurality of rules, said network 
having a plurality of addresses, said tool comprising: \ 

a memory for storing computer readable coofe; and 

a processor operatively coupled to said memory, said processor configured to: 
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generate a gateway-zone graph that models said network, said gateway-zone graph 
having at least one gateway node corresponding to said at least one gateway and at least two zone 
nodes, wherein said at least one gateway is a packet filtering machine and each of said zone 
nodes correspond to a partitioned collection of said addresses created by said at least one 
gateway; \ 

receive a query Inquiring whether one or more given services are permitted 
between at least one source address and at least one destination address; and 

evaluate said query against each of said rules associated with each gateway node 
in said gateway-zone graph that is encountered between said at least one source address and said 
at least one destination address. \ 

20. The tool of claim 19, whWein said rules are expressed as rule-base objects 

21. The tool of claim 19, wherein said gateway-zone graph is derived from a network 
topology file. \ 

22. The tool of claim 19, wherein said query includes a wildcard for at least one of 
said service, source address or destination adflress. 

23. The tool of claim 19, further comprising the step of determining a portion of said 
one or more given services that are permitted between at least one source address and at least one 
destination address. \ 

24. The tool of claim 19, further comprising the step of transforming said packet 
filtering configuration files into a table of logical rules that are processed during said evaluating 
step. \ 

25. The tool of claim 19, wherein said query consists of a source host-group, a 
destination host-group, and a service host-group. \ 
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26. The tool^of claim 19, wherein said query specifies a location where packets are to 
be inserted into the network that is different from a source address. 

27. A computer readable medium having computer readable program code means 
embodied thereon, said computer readable program code means analyzing at least one gateway in 
a network, said at least one gateway having a packet filtering configuration file including a 
plurality of rules, said network having a plurality of addresses, said computer readable program 
code means comprising: \ 

a step to generate a gateway-zone graph that models said network, said gateway- 
zone graph having at least one gateway node corresponding to said at least one gateway and at 
least two zone nodes, wherein said at least one gateway is a packet filtering machine and each of 
said zone nodes correspond to a partitioned collection of said addresses created by said at least 
one gateway; \ 

a step to receive a query inquiring whether one or more given services are 
permitted between at least one source address and at least one destination address; and 

a step to evaluate said query gainst each of said rules associated with each 
gateway node in said gateway-zone graph that ils encountered between said at least one source 
address and said at least one destination address. \ 

28. A system for modeling a network, comprising: 

a memory for storing computer readable code; and 

a processor operatively coupled to said memory, said processor configured to: 
identify each gateway device in said network having a packet-filtering rule-base 

and each zone in said network defined by said gateway devrices; and 

generate a gateway-zone graph that models sadd network, said gateway-zone graph 

having a gateway node corresponding to each of said gateway devices and a zone node 

corresponding to each of said zones. \ 

29. A computer readable medium having computer readable program code means 
embodied thereon, said computer readable program code means comprising: 
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a stet^to identify each gateway device in a network having a packet-filtering rule- 
base and each zone inlaid network defined by said gateway devices; and 

a step to Venerate a gateway-zone graph that models said network, said gateway- 
zone graph having a gateway node corresponding to each of said gateway devices and a zone 
node corresponding to each of said zones. 
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